Documentation
Overview ¶
Package manifest parses lockfiles and manifests to produce a flat (ecosystem, name, version) list that the nullify deps analyze command compares between two commits.
Each ecosystem implementation lives in its own file. ParseAll dispatches by filename — callers pass a list of paths (usually computed from a git diff) and receive every parseable entry. Unknown paths are silently skipped; there's no "no parser for X" error because most repos contain files that aren't lockfiles.
Constants ¶
This section is empty.
Variables ¶
var ErrNoParser = errors.New("no parser matched")
ErrNoParser is returned when no registered parser matches a path. ParseAll uses errors.Is to filter it out silently — the CLI workflow doesn't need to surface "we don't know what this file is."
Functions ¶
func HasSuffixI ¶
HasSuffixI is a case-insensitive suffix match shared by every parser. It saves every Matches() implementation from importing strings directly.
Types ¶
type Ecosystem ¶
type Ecosystem string
Ecosystem is a package ecosystem identifier. Values match the vdb_ecosystem enum the vuln-database expects, so they travel from the CLI to scpm to vuln-database untransformed — keep them in sync with that enum when adding a parser.
type Entry ¶
type Entry struct {
	Ecosystem Ecosystem
	Name      string
	Version   string
	// File is the repo-relative path this entry came from — useful for
	// error reporting and for scpm's audit log.
	File string
	// Direct is true when the lockfile declares the package at the top
	// level of its "dependencies" block. False for transitive deps.
	// Some formats (go.sum, Cargo.lock) don't distinguish; in that
	// case we leave it false and document the limitation per-parser.
	Direct bool
}
Entry is one parsed dependency record.
type File ¶
ParseAll applies every registered parser to the given slice of (path, contents) pairs; missing entries are skipped. It returns a flat slice of Entry and a map of path→parser-error for entries the parser matched but couldn't parse (malformed lockfile, partial write, etc.).
type GemfileLock ¶
type GemfileLock struct{}
func (*GemfileLock) Matches ¶
func (g *GemfileLock) Matches(path string) bool
func (*GemfileLock) Name ¶
func (g *GemfileLock) Name() string
type Parser ¶
type Parser interface {
	Name() string
	Matches(repoRelPath string) bool
	Parse(data []byte, repoRelPath string) ([]Entry, error)
}
Parser is the per-file-format interface. Implementations are registered in parsers.go. Parse is given the file's bytes and its repo-relative path; it returns a flat Entry slice or an error.
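An added example, not part of the nullify code base: a stand-alone sketch of the dispatch contract described for ParseAll and Parser above, in which an unmatched path is dropped via errors.Is(err, ErrNoParser) while a matched but malformed lockfile is reported by path. The pinsLock format, the parseAll function with its map-based signature, and the "example" ecosystem value are assumptions; Entry is trimmed to four string fields and all inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNoParser = errors.New("no parser matched") // as declared on this page
type Entry struct{ Ecosystem, Name, Version, File string } // trimmed copy of the page's Entry
type Parser interface { // as declared on this page
	Name() string
	Matches(repoRelPath string) bool
	Parse(data []byte, repoRelPath string) ([]Entry, error)
}
type pinsLock struct{} // hypothetical "name==version" format, not a nullify parser
func (pinsLock) Name() string { return "pins" }
func (pinsLock) Matches(p string) bool { return strings.HasSuffix(strings.ToLower(p), "pins.lock") }
func (pinsLock) Parse(data []byte, path string) (out []Entry, err error) {
	for _, line := range strings.Fields(string(data)) {
		name, ver, ok := strings.Cut(line, "==")
		if !ok || name == "" || ver == "" {
			return nil, fmt.Errorf("%s: malformed pin %q", path, line)
		}
		out = append(out, Entry{Ecosystem: "example", Name: name, Version: ver, File: path})
	}
	return out, nil
}

// parseAll skips unmatched paths but reports a matched file that fails to parse.
func parseAll(ps []Parser, files map[string][]byte) (entries []Entry, errs map[string]error) {
	errs = map[string]error{}
	for path, data := range files {
		got, err := []Entry(nil), ErrNoParser
		for _, p := range ps {
			if p.Matches(path) {
				got, err = p.Parse(data, path)
				break
			}
		}
		if err != nil && !errors.Is(err, ErrNoParser) {
			errs[path] = err // a broken lockfile must not read as "no dependencies"
		}
		entries = append(entries, got...)
	}
	return entries, errs
}
func main() { // constructed input: one unknown path, one truncated lockfile
	fmt.Println(parseAll([]Parser{pinsLock{}}, map[string][]byte{"README.md": nil, "pins.lock": []byte("a==1 b==")}))
}
```

A caller comparing two commits should treat a non-empty error map as an incomplete dependency list for that commit, not as an unchanged one.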
func DefaultParsers ¶
func DefaultParsers() []Parser
DefaultParsers returns the full set in a stable order. Sequence matters only for tiebreaking when two parsers claim the same path (shouldn't happen with the current set).
func NewCargoLock ¶
func NewCargoLock() Parser
func NewGemfileLock ¶
func NewGemfileLock() Parser
func NewNPMLock ¶
func NewNPMLock() Parser
func NewPyPILock ¶
func NewPyPILock() Parser